5 Comments
Rick Howard

I don't disagree with the logic. But two things kept popping up in my mind while reading the essay.

#1: Organizations from small to midsize can't afford to do anything about this. They don't have the resources in terms of the people-process-technology triad. AI might help in this regard down the road but I don't see it yet.

#2: I can't recall the actual stat but successful adversary campaigns only use exploitation code like 20% of the time (check me on that number but it's not more than 40%). Addressing this issue is expensive for less than half of the attacks. What do you do for the other half if you've spent your budget on this?

Adrian Sanabria

I agree on both counts!

I see a lot of midsized businesses spending over half their time/labor on vulnerability management and it makes no sense for them to be putting so much time and resources into it. The strategy that makes the most sense for small to midsize organizations is to use SaaS and managed services for server workloads and automate patching on workstations - remove/outsource the need for patch and vulnerability management as much as possible.

The 2025 Verizon DBIR has the number at 20%. My own research suggests that only a handful of vulnerabilities (probably less than a dozen) account for the majority of that. So… we can’t ignore it, but it’s only a fifth of the problem, so we can’t afford to spend too much time on it either.

Todd Inskeep

I thought Risk-Based Vulnerability Management (RBVM) had been overcome by events - namely Kenna getting bought, and I think recently going EOL.

Fixing the right vulnerabilities on the right timeline is just a huge challenge as you point out - for a lot of reasons. The 'fix' I've been focused on, especially in middle market companies is resilience and recovery (plus patching where you can).

There's also an organizational function tied to roles and responsibilities - separating the VM identification from the patching fix feels artificial today - 20 years ago we needed the separation for honesty and integrity. Today, and looking at the future, hiding known issues is only going to get harder in most organizations.

Guillaume Ross

If you can’t segment it, can’t monitor it, and also can’t patch it fast, it might be time to consider moving that function to SaaS!